Struct android_tools::java_tools::JarSigner
pub struct JarSigner { /* private fields */ }
Signs and verifies Java Archive (JAR) files
Implementations
impl JarSigner
pub fn keystore(&mut self, keystore: &Path) -> &mut Self
Specifies the URL that tells the keystore location. This defaults to the file `.keystore` in the user's home directory, as determined by the `user.home` system property. A keystore is required when signing. You must explicitly specify a keystore when the default keystore does not exist or if you want to use one other than the default. A keystore is not required when verifying, but if one is specified or the default exists and the `-verbose` option was also specified, then additional information is output regarding whether or not any of the certificates used to verify the JAR file are contained in that keystore. The `-keystore` argument can be a file name and path specification rather than a URL, in which case it is treated the same as a `file:` URL. For example, the following are equivalent:
* `-keystore filePathAndName`
* `-keystore file:filePathAndName`
If the Sun PKCS #11 provider was configured in the `java.security` security properties file (located in the JRE's `$JAVA_HOME/lib/security` directory), then the keytool and jarsigner tools can operate on the PKCS #11 token by specifying these options:
* `-keystore NONE`
* `-storetype PKCS11`
For example, the following command lists the contents of the configured PKCS#11 token:
* `keytool -keystore NONE -storetype PKCS11 -list`
pub fn storepass(&mut self, storepass: String) -> &mut Self
Specifies the password that is required to access the keystore. This is only needed when signing (not verifying) a JAR file. In that case, if a `-storepass` option is not provided at the command line, then the user is prompted for the password. If the modifier `env` or `file` is not specified, then the password has the value `argument`. Otherwise, the password is retrieved as follows:
* `env`: Retrieve the password from the environment variable named `argument`
* `file`: Retrieve the password from the file named `argument`
pub fn storetype(&mut self, storetype: String) -> &mut Self
Specifies the type of keystore to be instantiated. The default keystore type is the one that is specified as the value of the `keystore.type` property in the security properties file, which is returned by the static `getDefaultType` method in `java.security.KeyStore`. The PIN for a PKCS #11 token can also be specified with the `-storepass` option. If none is specified, then the `keytool` and `jarsigner` commands prompt for the token PIN. If the token has a protected authentication path (such as a dedicated PIN-pad or a biometric reader), then the `-protected` option must be specified and no password options can be specified.
pub fn keypass(&mut self, keypass: String) -> &mut Self
Specifies the password used to protect the private key of the keystore entry addressed by the alias specified on the command line. The password is required when using jarsigner to sign a JAR file. If no password is provided on the command line, and the required password is different from the store password, then the user is prompted for it.
If the modifier `env` or `file` is not specified, then the password has the value `argument`. Otherwise, the password is retrieved as follows:
* `env`: Retrieve the password from the environment variable named `argument`
* `file`: Retrieve the password from the file named `argument`
Note
The password should not be specified on the command line or in a script unless it is for testing purposes, or you are on a secure system.
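How the `env` and `file` modifiers described for `storepass` and `keypass` keep the password out of the process arguments, as an added example that is not android_tools code: it builds the jarsigner argument list directly. The names `Secret`, `push_secret` and `sign_args`, and the keystore path, alias and variable name, are assumptions.

```rust
// Added example, not android_tools code: Secret, push_secret and sign_args are
// hypothetical names. Keystore path, alias and variable names are constructed.
use std::process::Command;

/// Source of a password, matching jarsigner's `env` and `file` modifiers.
enum Secret {
    Env(String),  // name of an environment variable holding the password
    File(String), // path of a file holding the password
}

/// Emits `-<option>:env NAME` or `-<option>:file PATH`, never the password.
fn push_secret(args: &mut Vec<String>, option: &str, secret: &Secret) {
    let (modifier, argument) = match secret {
        Secret::Env(name) => ("env", name),
        Secret::File(path) => ("file", path),
    };
    args.push(format!("-{}:{}", option, modifier));
    args.push(argument.clone());
}

/// Argument vector for `jarsigner [options] jar-file alias`.
fn sign_args(keystore: &str, store: &Secret, key: &Secret, jar: &str, alias: &str) -> Vec<String> {
    let mut args = vec!["-keystore".to_string(), keystore.to_string()];
    push_secret(&mut args, "storepass", store);
    push_secret(&mut args, "keypass", key);
    args.push(jar.to_string());
    args.push(alias.to_string());
    args
}

fn main() {
    let args = sign_args(
        "release.jks",
        &Secret::Env("KS_PASS".into()),
        &Secret::File("/run/secrets/key_pass".into()),
        "app.jar",
        "release",
    );
    // The store password travels in the child's environment, not in argv,
    // which process listings expose to other local users.
    let mut cmd = Command::new("jarsigner");
    cmd.args(&args).env("KS_PASS", "constructed-demo-password");
    // Built for inspection only; nothing is executed and the env is not printed.
    println!("{:?} {:?}", cmd.get_program(), cmd.get_args().collect::<Vec<_>>());
}
```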
pub fn certchain(&mut self, certchain: &Path) -> &mut Self
Specifies the certificate chain to be used when the certificate chain associated with the private key of the keystore entry that is addressed by the alias specified on the command line is not complete. This can happen when the keystore is located on a hardware token where there is not enough capacity to hold a complete certificate chain. The file can be a sequence of concatenated X.509 certificates, or a single PKCS#7 formatted data block, either in binary encoding format or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard.
pub fn sigfile(&mut self, sigfile: &Path) -> &mut Self
Specifies the base file name to be used for the generated `.SF` and `.DSA` files. For example, if file is DUKESIGN, then the generated `.SF` and `.DSA` files are named `DUKESIGN.SF` and `DUKESIGN.DSA`, and placed in the `META-INF` directory of the signed JAR file.
The characters in the file must come from the set `a-zA-Z0-9_-`. Only letters, numbers, underscore, and hyphen characters are allowed. All lowercase characters are converted to uppercase for the `.SF` and `.DSA` file names.
If no `-sigfile` option appears on the command line, then the base file name for the `.SF` and `.DSA` files is the first 8 characters of the alias name specified on the command line, all converted to upper case. If the alias name has fewer than 8 characters, then the full alias name is used. If the alias name contains any characters that are not valid in a signature file name, then each such character is converted to an underscore (_) character to form the file name.
pub fn sigalg(&mut self, sigalg: String) -> &mut Self
Specifies the name of the signature algorithm to use to sign the JAR file.
For a list of standard signature algorithm names, see "Appendix A: Standard Names" in the Java Cryptography Architecture (JCA) Reference Guide at http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
This algorithm must be compatible with the private key used to sign the JAR file. If this option is not specified, then `SHA1withDSA`, `SHA256withRSA`, or `SHA256withECDSA` are used depending on the type of private key. There must either be a statically installed provider supplying an implementation of the specified algorithm or the user must specify one with the `-providerClass` option; otherwise, the command will not succeed.
pub fn verbose(&mut self, verbose: bool) -> &mut Self
When the `-verbose` option appears on the command line, it indicates verbose mode, which causes jarsigner to output extra information about the progress of the JAR signing or verification.
pub fn certs(&mut self, certs: bool) -> &mut Self
If the `-certs` option appears on the command line with the `-verify` and `-verbose` options, then the output includes certificate information for each signer of the JAR file. This information includes the name of the type of certificate (stored in the `.DSA` file) that certifies the signer's public key, and if the certificate is an X.509 certificate (an instance of the `java.security.cert.X509Certificate`), then the distinguished name of the signer.
The keystore is also examined. If no keystore value is specified on the command line, then the default keystore file (if any) is checked. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses.
pub fn tsa(&mut self, tsa: &Path) -> &mut Self
If `-tsa` appears on the command line when signing a JAR file, then a time stamp is generated for the signature. The URL identifies the location of the Time Stamping Authority (TSA) and overrides any URL found with the `-tsacert` option. The `-tsa` option does not require the TSA public key certificate to be present in the keystore.
To generate the time stamp, jarsigner communicates with the TSA with the Time-Stamp Protocol (TSP) defined in RFC 3161. When successful, the time stamp token returned by the TSA is stored with the signature in the signature block file.
pub fn tsacert(&mut self, tsacert: String) -> &mut Self
When `-tsacert alias` appears on the command line when signing a JAR file, a time stamp is generated for the signature. The alias identifies the TSA public key certificate in the keystore that is in effect. The entry's certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA.
The TSA public key certificate must be present in the keystore when using the `-tsacert` option.
pub fn tsapolicyid(&mut self, tsapolicyid: String) -> &mut Self
TSAPolicyID for Timestamping Authority
pub fn tsadigestalg(&mut self, tsadigestalg: String) -> &mut Self
Algorithm of digest data in timestamping request
pub fn altsigner(&mut self, altsigner: String) -> &mut Self
Class name of an alternative signing mechanism (This option is deprecated and will be removed in a future release.)
pub fn altsignerpath(&mut self, altsignerpath: &[PathBuf]) -> &mut Self
Location of an alternative signing mechanism (This option is deprecated and will be removed in a future release.)
pub fn internalsf(&mut self, internalsf: bool) -> &mut Self
Include the `.SF` file inside the signature block
pub fn sectionsonly(&mut self, sectionsonly: bool) -> &mut Self
Don't compute hash of entire manifest
pub fn protected(&mut self, protected: bool) -> &mut Self
Keystore has protected authentication path
pub fn provider_name(&mut self, provider_name: String) -> &mut Self
Provider name
pub fn addprovider(&mut self, addprovider: String) -> &mut Self
Add security provider by name (e.g. SunPKCS11); add security provider by fully-qualified class name
pub fn provider_class(&mut self, provider_class: String) -> &mut Self
Configure argument for -addprovider
pub fn provider_arg(&mut self, provider_arg: &Path) -> &mut Self
Configure argument for -providerClass
pub fn verify(&mut self, verify: bool) -> &mut Self
The `-verify` option can take zero or more keystore alias names after the JAR file name. When the `-verify` option is specified, the jarsigner command checks that the certificate used to verify each signed entry in the JAR file matches one of the keystore aliases. The aliases are defined in the keystore specified by `-keystore` or the default keystore.
If you also specified the `-strict` option, and the jarsigner command detected severe warnings, the message, "jar verified, with signer errors" is displayed.
Trait Implementations
Auto Trait Implementations
impl RefUnwindSafe for JarSigner
impl Send for JarSigner
impl Sync for JarSigner
impl Unpin for JarSigner
impl UnwindSafe for JarSigner
Blanket Implementations
impl<T> BorrowMut<T> for T where
T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.